to 2. to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation. not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, save where such disclosure or transfer is specifically authorised under this Framework Agreement or is required by Law). For the avoidance of doubt to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex. request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data. 
take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that its Personnel: are aware of and comply with their duties under this Annex 1 (Joint Controller Agreement) and those in respect of Confidential Information; are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where that Party would not be permitted to do so; have undergone adequate training in the use, care, protection and handling of personal data as required by the applicable Data Protection Legislation; ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Contractor holds; and ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Data Protection Breach
Without prejudice to paragraph 3.2, each Party shall notify the other Party promptly and without undue delay, and in any event within 48 hours, upon becoming aware of any Personal Data Breach or circumstances that are likely to give rise to a Personal Data Breach, providing the other Party and its advisors with: sufficient information and in a timescale which allows the other Party to meet any obligations to report a Personal Data Breach under the Data Protection Legislation; all reasonable assistance, including: co-operation with the other Party and the Information Commissioner investigating the Personal Data Breach and its cause, containing and recovering the compromised Personal Data and compliance with the applicable guidance; co-operation with the other Party including taking such reasonable steps as are directed by ▇▇▇ to assist in the investigation, mitigation and remediation of a Personal Data Breach; co-ordination with the other Party regarding the management of public relations and public statements relating to the Personal Data Breach; providing the other Party and to the extent instructed by the other Party to do so, and/or the Information Commissioner investigating the Personal Data Breach, with complete information relating to the Personal Data Breach, including, without limitation, the information set out in paragraph 3.2.
Each Party shall take all steps to restore, re-constitute and/or reconstruct any Personal Data where it has lost, damaged, destroyed, altered or corrupted as a result of a Personal Data Breach as if it was that Party’s own data at its own cost with all possible speed and shall provide the other Party with all reasonable assistance in respect of any such Personal Data Breach, including providing the other Party, as soon as possible and within 48 hours of the Personal Data Breach relating to the Personal Data Breach, in particular: the nature of the Personal Data Breach; the nature of Personal Data affected; the categories and number of Data Subjects concerned; the name and contact details of the Contractor’s Data Protection Officer or other relevant contact from whom more information may be obtained; measures taken or proposed to be taken to address the Personal Data Breach; and describe the likely consequences of the Personal Data Breach.
Audit
The Contractor shall permit: DfE, or a third-party auditor acting under DfE’s direction, to conduct, at DfE’s cost, data privacy and security audits, assessments and inspections concerning the Contractor’s data security and privacy procedures relating to Personal Data, its compliance with this Annex 1 and the Data Protection Legislation. DfE, or a third-party auditor acting under DfE’s direction, access to premises at which the Personal Data is accessible or at which it is able to inspect any relevant records, including the record maintained under Article 30 GDPR by the Contractor so far as relevant to the Framework Agreement, and procedures, including premises under the control of any third party appointed by the Contractor to assist in the provision of the Services. DfE may, in its sole discretion, require the Contractor to provide evidence of the Contractor’s compliance with paragraph 4.1 in lieu of conducting such an audit, assessment or inspection.
Impact Assessments
The Parties shall: provide all reasonable assistance to each other to prepare any Data Protection Impact Assessment as may be required (including provision of detailed information and assessments in relation to processing operations, risks and measures); maintain full and complete records of all processing carried out in respect of the Personal Data in connection with this Framework Agreement, in accordance with the terms of Article 30 GDPR.